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Abstract 


This document describes the cryptographic hash function BLAKE2 and 
makes the algorithm specification and C source code conveniently 
available to the Internet community. BLAKE2 comes in two main 
flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for 
smaller architectures. BLAKE2 can be directly keyed, making it 
functionally equivalent to a Message Authentication Code (MAC). 
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This is a contribution to the RFC Series, independently of any other 
RFC stream. The RFC Editor has chosen to publish this document at 
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implementation or deployment. Documents approved for publication by 
the RFC Editor are not a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc7693. 
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document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(http://trustee.ietf.org/license-info) in effect on the date of 
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carefully, as they describe your rights and restrictions with respect 
to this document. 
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Les 


Introduction and Terminology 


The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean- 
Philippe Aumasson, Samuel Neves, Zooko Wilcox-O’Hearn, and Christian 
Winnerlein. 


BLAKE2 comes in two basic flavors: 


o BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and 
produces digests of any size between 1 and 64 bytes. 


o BLAKE2s is optimized for 8- to 32-bit platforms and produces 
digests of any size between 1 and 32 bytes. 


Both BLAKE2b and BLAKE2s are believed to be highly secure and perform 
well on any platform, software, or hardware. BLAKE2 does not require 
a special "HMAC" (Hashed Message Authentication Code) construction 
for keyed message authentication as it has a built-in keying 
mechanism. 


The BLAKE2 hash function may be used by digital signature algorithms 
and message authentication and integrity protection mechanisms in 
applications such as Public Key Infrastructure (PKI), secure 
communication protocols, cloud storage, intrusion detection, forensic 
suites, and version control systems. 


The BLAKE2 suite provides a more efficient alternative to US Secure 
Hash Algorithms SHA and HMAC-SHA [RFC6234]. BLAKE2s-128 is 
especially suited as a fast and more secure drop-in replacement to 
MD5 and HMAC-MD5 in legacy applications [RFC6151]. 


To aid implementation, we provide a trace of BLAKE2b-512 hash 
computation in Appendix A and a trace of BLAKE2s-256 hash computation 
in Appendix B. Due to space constraints, this document does not 
contain a full set of test vectors for BLAKE2. 


A reference implementation in C programming language for BLAKE2b can 
be found in Appendix C and for BLAKE2s in Appendix D of this 
document. These implementations MAY be validated with the more 
exhaustive Test Module contained in Appendix E. 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 
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The following table summarizes various parameters and their ranges: 


| BLAKE2b | BLAKE2s | 
o $ O 
Bits in word w 64 w 32 
Rounds in F r= 12 B 10 
Block bytes | bb = 128 | bb = 64 | 
Hash bytes | 1 <= nn <= 64 | 1 <= nn <= 32 | 
Key bytes | 0 <= kk <= 64 | 0 <= kk <= 32 | 
Input bytes | 0 <= 11 < 2**128 | 0 <= 11 < 2**64 | 
oo 4+------------------+4------------------4+ 
G Rotation (R1, R2, R3, R4) (R1, R2, R3, R4) 
constants = (32, 24, 16, 63) (16, 12, 8, 7) 
oo 4+------------------4------------------+ 
2.2. Other Constants and Variable 
These variables are used in the algorithm description: 
IV[0..7] Initialization Vector (constant). 
SIGMA[0..9] Message word permutations (constant). 
¡0 Parameter block (defines hash and key sizes). 
m[0.. Sixteen words of a single message block. 
h[0.. Internal state of the hash. 
d[0..dd-1] Padded input blocks. Each has "bb" bytes. 
t Message byte offset at the end of the current block. 
f Flag indicating the last block. 
2.3. Arithmetic Notation 
For real-valued x, we define the following functions: 
floor(x) Floor, the largest integer <= x. 
ceil (x) Ceiling, the smallest integer >= x. 
frac(x) Positive fractional part of x, frac(x) = — floor (x) 
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Operator notation in pseudocode: 


2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc. 
a ^b = Bitwise exclusive-or operation between "a" and "p". 

a mod b = Remainder "a" modulo "b", always in range [0, b-1]. 

x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits. 
x << = (x * 2**n) mod (2**w). Logical shift "x" left by "n". 
x >>> n= (x >> n) ^ (x << (Ww - n)). Rotate "x" right by "n". 


2.4. Little-Endian Interpretation of Words as Bytes 


All mathematical operations are on 64-bit words in BLAKE2b and on 
32-bit words in BLAKE2s. 


We may also perform operations on vectors of words. Vector indexing 
is zero based; the first element of an n-element vector "v" is v[0] 
and the last one is v[n - 1]. All elements are denoted by v[0..n-1]. 
Byte (octet) streams are interpreted as words in little-endian order, 
with the least-significant byte first. Consider this sequence of 
eight hexadecimal bytes: 

x[0..7] = 0x01 0x23 0x45 0x67 0x89 OxAB OxCD OxEF 


When interpreted as a 32-bit word from the beginning memory address, 
x[0..3] has a numerical value of 0x67452301 or 1732584193. 


When interpreted as a 64-bit word, bytes x[0..7] have a numerical 
value of OxEFCDAB8967452301 or 17279655951921914625. 


2.5. Parameter Block 


We specify the parameter block words p[0..7] as follows: 


byte offset: 3210 (otherwise zero) 
p[0] = 0x0101kknn p[1l..7] = 0 
Here the "nn" byte specifies the hash size in bytes. The second 


(little-endian) byte of the parameter block, "kk", specifies the key 
size in bytes. Set kk = 00 for unkeyed hashing. Bytes 2 and 3 are 
set as 01. All other bytes in the parameter block are set as zero. 
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Note: [BLAKE2] defines additional variants of BLAKE2 with features 
such as salting, personalized hashes, and tree hashing. These 
OPTIONAL features use fields in the parameter block that are not 
defined in this document. 


2.6. Initialization Vector 
We define the Initialization Vector constant IV mathematically as: 
IV[i] = floor(2**w * frac(sqrt (prime (i+1)))), where prime (i) 
is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 ) 


and sqrt(x) is the square root of x. 


The numerical values of IV can also be found in implementations in 
Appendices C and D for BLAKE2b and BLAKE2s, respectively. 


Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the 
same as SHA-256 IV; see [RFC6234]. 


2.7. Message Schedule SIGMA 
Message word schedule permutations for each round of both BLAKE2b and 


BLAKE2s are defined by SIGMA. For BLAKE2b, the two extra 
permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[O..1]. 


Round’: | 0O 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | 
pas ii 
SIGMA[0] O 1 2 3 4 5 6 7 8 910 11 12 13 14 15 
SIGMA[1] | 14 10 4 8 91513 6 112 0 211 7 5 3 
SIGMA[2] | 11 812 0 5 2 15 13 10 14 3 6 7 1 9 4| 
SIGMA[3] | 7 9 3 1 13 12 11 14 2 6 510 4 015 8| 
SIGMA[4] | 9 0 5 7 2 410 15 14 11112 6 8 313 | 
SIGMA[5] | 212 610 011 8 3 413 7 515 14 1 9| 
SIGMA[6] | de e MASAS ALO oO. PG 135 9,32 811 | 
SIGMA[7] | 13 11 7 14 12 1 3 9 5 015 4 8 6 210 
SIGMA[8] | 61514 911 3 0 812 213 7 1 410 5 | 
SIGMA[9] | 10 2 8 4 7 6 1 51511 914 312 13 0| 
ES ra So SS o SS Se Ss SR 
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3. BLAKE2 Processing 

3.1. Mixing Function G 
The G primitive function mixes two input words, "x" and "y", into 
four words indexed by "a", "b", "c", and "d" in the working vector 
v[0..15]. The full modified vector is returned. The rotation 


constants (R1, R2, R3, R4) are given in Section 2.1. 


FUNCTION G( v[0..15], a, b, c, d, X, y ) 


| 
| val := (v[a] + v[b] + x) mod 2**w 
| vid] := (v[d] ^ v[al) >>> R1 
| vle] := (v[el + vid]) mod 2**w 
| vib] += (v[b] ^ v[c]) >>> R2 
v[a] := (v[a] + v[b] + y) mod 2**w 
v[d] := (v[d] ^ v[a]) >>> R3 
v[c] := (v[c] + v[d]) mod 2**w 
v[b] := (v[b] ^ v[c]) >>> R4 


RETURN v[0..15] 


ND FUNCTION. 
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3.2. Compression Function F 


Compression function F takes as an argument the state vector "h", 
message block vector "m" (last block is padded with zeros to full 
block size, if required), 2w-bit offset counter "t", and final block 
indicator flag "f". Local vector v[0..15] is used in processing. F 
returns a new state vector. The number of rounds, "r", is 12 for 
BLAKE2b and 10 for BLAKE2s. Rounds are numbered from 0 to r - 1. 


FUNCTION F( h[0..7], m[0..15], t, £ ) 


// Initialize local work vector v[0..15] 


A TI e= | // First half from state. 
v[8..15] := IV[0..7] // Second half from IV. 
v[12] := v[12] ^ (t mod 2**w) // Low word of the offset. 
v[13] := v[13] ^ (t >> w) // High word. 

IF f = TRUE THEN // last block flag? 

| v[14] := v[14] ^ OxFF..FF // Invert all bits. 

END IF. 


// Cryptographic mixing 
FOR i= 0 TO r- 1 DO // Ten or twelve rounds. 


// Message word selection permutation for this round. 


| 
| s[0..15] := SIGMA[i mod 10][0..15] 
| v := G( v, 0, 4, 8, 12, m[s[ 0]], mis[ ) 
[) “eric Dy Sy? 9 13, mist 2) > misi ) 
| vi :=G(v, 2, 6, 10, 14, m[s[ 41], mi[s[ ) 
| SC v, 3, 7, 11, 15, mis[ 6]l, misI[ ) 
| 
v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] ) 
v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] ) 
| AR PS G( v, 2,7, 8, 13, m[s[12]], m[s[13]] ) 
| v := G( v, 3, 4, 9, 14, m[s[14]], m[s[15]] ) 
| 
END FOR 
FOR i = 0 TO 7 DO // XOR the two halves. 
[DEY := h[i] ^ v[i] ^ v[i + 8] 
END FOR. 
RETURN h[0..7] // New state. 


| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
E 


ND FUNCTION. 
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3.3. Padding Data and Computing a BLAKE2 Digest 


We refer the reader to Appendices C and D for reference C language 
implementations of BLAKE2b and BLAKE2s, respectively. 


Key and data input are split and padded into "dd" message blocks 
d[0..dd-1], each consisting of 16 words (or "bb" bytes). 


If a secret key is used (kk > 0), it is padded with zero bytes and 
set as d[0]. Otherwise, d[0] is the first data block. The final 
data block d[dd-1] is also padded with zero to "bb" bytes (16 words). 


The number of blocks is therefore dd = ceil(kk / bb) + ceil(11 / bb). 
However, in the special case of an unkeyed empty message (kk = 0 and 
11 = 0), we still set dd = 1 and d[0] consists of all zeros. 
The following procedure processes the padded data blocks into an 
"nn"-byte final hash value. See Section 2 for a description of 
various variables and constants used. 
FUNCTION BLAKE2( d[0..dd-1], 11, kk, nn ) 
h[0..7] := IV[0..7] // Initialization Vector. 


// Parameter block p[0] 
h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn 


// Process padded key and data blocks 


IF dd > 1 THEN 
| FOR i = 0 TO dd - 2 DO 


| 
| 
| 
| 
| 
| 
| 
| // Final block. 
| 
| 
| 
| 
| 
E 


| | h := F( h, d[i], (i + 1) * bb, FALSE ) 

| END FOR. 

END IF. 

IF kk = 0 THEN 

| h := F( h, d[dd - 1], 11, TRUE ) 

ELSE 

| h := F( h, d[dd - 1], 11 + bb, TRUE ) 

END IF. 

RETURN first "nn" bytes from little-endian word array h[]. 
ND FUNCTION. 
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4. Standard Parameter Sets and Algorithm Identifiers 


An implementation of BLAKE2b and/or BLAKE2s MAY support the following 
digest size parameters for interoperability (e.g., digital 
signatures), as long as a sufficient level of security is attained by 
the parameter selections. These parameters and identifiers are 
intended to be suitable as drop-in replacements to MD5 and 
corresponding SHA algorithms. 


Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use 
the OID tree at x = 1.3.6.1.4.1.1722.12.2. The same OID can be used 
for both keyed and unkeyed hashing since in the latter case the key 

simply has zero length. 


Algorithm | Target | Collision | Hash | Hash ASN.1 | 

Identifier | Arch | Security | nn | OID Suffix | 

U F A E +--------+-----------4+------4--- AE a + 
id-blake2b160 | 64-bit | 2**80 | 20 |  x.1.5 | 

id-blake2b256 | 64-bit | 2**128 | 32 | x.1.8 | 

id-blake2b384 | 64-bit | 2**192 | 48 | x.1.12 | 

id-blake2b512 | 64-bit | 2**256 | 64 | x.1.16 | 

O A A === + 
id-blake2s128 | 32-bit | 2**64 | 16 | x.2.4 | 

id-blake2s160 | 32-bit | 2**80 | 20 |  x.2.5 | 

id-blake2s224 | 32-bit | 2**112 | 28 | x.2.7 | 

id-blake2s256 | 32-bit | 2**128 | 32 | x.2.8 | 

nas >= A e hte assests ssseotSs St 

hashAlgs OBJECT IDENTIFIER ::= { 


iso(1) identified-organization(3) dod(6) internet (1) 
private (4) enterprise(1) kudelski (1722) cryptography (12) 2 
} 
macAlgs OBJECT IDENTIFIER ::= { 
iso(1) identified-organization(3) dod(6) internet (1) 
private (4) enterprise(1) kudelski (1722) cryptography (12) 3 


} 


-- the two BLAKE2 variants -- 
blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 } 
blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 } 


-— BLAKE2b Identifiers -- 

id-blake2b160 OBJECT IDENTIFIER ::= 
id-blake2b256 OBJECT IDENTIFIER ::= 
id-blake2b384 OBJECT IDENTIFIER ::= 
id-blake2b512 OBJECT IDENTIFIER ::= 


blake2b 5 } 
blake2b 8 } 
blake2b 12 } 
blake2b 16 } 


AAA A 
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--— BLAKE2s Identifiers -- 


id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 } 
id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 ) 
id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 } 
id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 } 


5. Security Considerations 


This document is intended to provide convenient open-source access by 
the Internet community to the BLAKE2 cryptographic hash algorithm. 

We wish to make no independent assertion to its security in this 
document. We refer the reader to [BLAKE] and [BLAKE2] for detailed 
cryptanalytic rationale behind its design. 


In order to avoid bloat, the reference implementations in Appendices 
C and D may not erase all sensitive data (such as secret keys) 
immediately from process memory after use. Such cleanup can be added 
if needed. 
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Example of BLAKE2b Computation 


We compute the unkeyed hash of three ASCII bytes 
BLAKE2b-512 and show internal values during computation. 


m[16] 
(i= 0) v[16] 
(i= 1) v[16] 
(i= 2) v[16] 
(i= 3) v[16] 
(i= 4) v[16] 


Saarinen & Aumasson 


0000000000636261 
0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 


6A09E667F2BDC948 
A5D4FF53A5F1D36F1 
1F83D9ABFB41BD6B 


0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 


B67AE8584CAA73B 
10E527FADE682D1 


BB67AE8584CAA73B 


C6EF372FE94F82B 


510E527FADE682D2 
5BE0CD19137E2179 


86B7C1568029BB79 
O0C87CD524C14CC5D 
DEO80F1BB1COF84B 
6267FC79DF9ID6AD1 
E02D0975B8D37A83 
2318A24E2140FC64 


53281E83806010F2 
85F693F3DA53F974 
C6A22E2FFOF7AA48 
500E125E58A92923 
92A3AAAA6D952B7F 
572D17EFFDD37358 


60ED96AA7AD41725 
A2F8716E775C4877 
25A1422779E06D14 
22BDCE6976B08C51 
C804EBAB11C99FA9 
716343F52FDD265E 


BB2A77D3A8382351 
A36077DEE3370B89 
4F82C9401CB32D7A 
55908187977514A0 
086092CFB858437E 
3E7B5F234CD1F804 


B 
5 
5BE0CD19137E2179 
3 
9 


B05688C2B3E6C1F 


C12CBCC809FF59F3 
44EE6039BD86A9F'7 
595CB8A9A1ACA66C 
FA87B01273FA6DBE 
1C7B754F08B7D193 


3594B403F81B4393 
BAABDBB2F38 6D9AE 
C6A56A51CB89C595 
E9E4ADO0DO0OE1A0D48 
C5FDF71090FAE853 


E46A743C71800B9D 
DA0A61BCDE4267EA 
E6823AE4C3FF58A5 
F1DE8696BEC11BF1 
8E0CEC959C715793 


45EB47971F23B103 
8A03C4CB7E97590A 
8CCD013726420DC4 
5B44273E66B19D27 
5C4BE2156DBEECF9 


November 2015 


"abc" with 


0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 
0000000000000000 


3C6EF372FE94F82B 
9B05688C2B3E6C1F 
6A09E667F3BCC908 
A5D4FF53A5F1D36F1 
E07C265404BE4294 


C6A5214CCOERACA8E 
A447C850AA694A7E 
BEC3AE837EAC4887 
521A715C63E08D8A 
8F885A76B6E578FE 


8CD63C7462DEODFF 
CA5425AEC65A10A8 
224E6A3369224F96 
85DF9DC143C59A74 
2A8A40F15A462DD0 


1A04B543A01F156B 
B1DD230754D7BDEE 
A1677E19F37FD5DA 
A0EBD586A4A1D2C8 
7C45557FAEOD4D89 


98BE297F6E45C684 
24192E49EBF54EA0 
A9SC9A8F17B1FC614 
B6D5C9FCA2579327 
2EFEDE99ED4EFF16 
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(i= 5) 
(i= 6) 
(i= 7) 
(i= 8) 
(i= 9) 
(i=10) 
(i=11) 
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v[16] 


v[16] 


v[16] 


v[16] 


v[16] 


v[16] 


v[16] 
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C79C15B3D423B099 
8934EB09A3456052 
4EB0B76284C7AAFB 
2643C2370E49EBFD 
B97D2D439E4DF63D 
1205EA4A7859807D 


E58F97D6385BAEE4 
TOF6F41C8783C9F6 
OF244C62DDF 71788 
5C7912BC10DF3B4B 
8733794F07AC1500 
DB2161604CBC9828 


6E2D286EEADEDC81 


2DA2224E8DA97556 
OF6DIEEED157DA2A 
299C8E725D954697 
79E02EEF20CDB1AE 
C718E755294C9111 


7640AA9764DA137A 
7127CD48C76A7708 
219828AA83880842 
A2C3ABBD37510EE2 
C67A6BE42335AA6F 


BCF02C0787E86358 


55D899D40A5D0D0A 
258E55E0EC1F362A 
B78A9A33E9BFF4DD 
92AAC307CF2COAFC 
E03C6CC89C26BF 92 


FFC83ECE76024D01 
B7C2C7E6D88C285F 
3A1FAD7106232B8F 
A53D3F73AA619624 
3841DEF6F4C9848A 
B0B9F0D443D1A889 


753A70A1E8FAEADD 
BC7D062BODB5CF35 
490870ECAD27DEBD 
4A466BCD021526A4 
88ED6C4F3BD7A537 
FD3F572687FEA4F1 


E630C747CCD59C4F 
6727E81260610140 
40BD313009201AAB 
B3B0B51DE3C86270 
2C6B25593D717852 
01369EC18746E775 


E801F73B9768C760 
B51776ADF569A77B 
5DAC67921FF76949 
492 9CBE45679D73E 
61B5C0A41D491399 
02231E1A917FEOBD 


819415B56220C459 
3A3B4EC60E19DFDC 
57772'72AE1E930C0 
30AACCC4FO6DAFAA 


1BE7BFFB8C5CC5F9 
81937DA314A50838 
1C7EDE92AB8B9C46 
30BBCC0285A22F 65 
98662C85FBA726D4 


6BOD43CA2C25D629 
58540EE1B1AEBC47 
B2A90DDF667287FE 
5DA7F7638CEC5669 
19AE688DDF67F026 


BC713D41127571CA 
2D04185EAC2A8CBA 
0099D4F82A2A1EAB 
900AEE2F233B08E5 
37E8CA471BEAA5F8 


35C6D22320BE511D 
F4F1BE86690B3C34 
1CDB9D31AD70CC4E 
733D1A17248F39DB 
B5C333457E12844A 
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77D2B26DF1C45C55 
6FE66467AF88C0A9 
B2240B59E6D567D3 
64B3EED7BB602F39 
1F0893F2772BB373 


DEB4C7C23EFE287E 
9E472AFOBE3DB3F6 
41CCA9073C8C4D0D 
CB5668CC2A9F 7859 
ACB22B28681E4C82 


57D56A56DD015EDF 
B63C479A6A769F02 
04D769B3FCB048DB 
5A387849E578DBF6 
483893CC094F8863 


A35A18CBAC4C65B7 
E1179523A2541963 
A3C2D35E4F685C10 
BCEFBB6A81539E5D 
7762439BD5A851BD 


F8343BA8B94F8C0B 
63C5B9B80D294CB9 
316CC9EBEEFAD8FC 
D9C8826727D306FC 
4D8707AAB40F 7E6D 


46DB183025025078 
5F311B88904056EC 
6DD4FBC1DE60165D 
A07199D87AD058D8 
2CFC1BACI10EF4457 


306F27584F65495E 
3CC88735D1475E4B 
35BA354A9C7DF448 
92D57B736F5F170A 
BD696BE010D0D889 
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(i=12) 


BLAKE2b-512 ("abc") = 


Appendix B. 


We compute the unkeyed hash of three ASCII bytes 


v[16] 


h[8] 


BLAKE2 Crypto Hash and MAC 


12EF8A641EC4F6D6 
97DF596B0610F6FC 
217D930AA51787F3 
EE7CE1F345947AA4 
885BEF040EF6AAOB 
E813A23C60AF3B82 


0D4D1C983FA580BA 
D1A2FFDB6FBB124B 
5A92F1DBA88AD318 


BCED5DE977C9FAF5 
F42C16519AD5AFA7 
906A6FF19E573942 
F8960D6C2FAF5F5E 
A4939A417BFB78A3 
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733CA476C5148639 
AA5AC1888E10467E 
75AB709BD3DCBF24 
E332538A36B6D246 
646CBB7AF6DCE980 


E9F6129FB697276A B7C45A68142F214C 


2D79AB2A39C5877D 


239900D4ED8623B9 


BA 80 A5 3F 98 1C 4D OD 6A 
4C 21 2F 14 68 5A C4 B7 4B 
7D 87 C5 39 2A AB 79 2D C2 
18 D3 8A A8 DB F1 92 5A 


Example of BLAKE2s Computation 


27 
12 


97 B6 
BB 6F 


9F 
DB 


52 


B9 23 


" abc " 


D5 DE 
86 ED 


45 
D4 


with 


BLAKE2s-256 and show internal values during computation. 


(i=1) 


m[16] 


v[16] 


v[16] 


v[16] 


v[16] 


v[16] 


v[16] 


00636261 
00000000 
00000000 


6BO8E647 


00000000 
00000000 
00000000 


BB67AE85 


1F83D9AB 
510E527C 


16A3242E 


5SBEOCD19 
9B05688C 


D7B5E238 


00000000 
00000000 
00000000 


3C6EF 372 
6A09E667 
E07C2654 


CE8CE24B 


A44E7C31 
7A8DD50F 


3AE30FE3 
EOOSEDOC 
7F00C58E 


7A3BE783 
D4AB70D0 
D7CD7AF5 


2A8B8CB7 
3025D276 
DC854C10 


C4AA2DDB 
6F5C52DF 
0E41A517 
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41D4759B 
BE378ED7 


0982A96B 


95BF33D3 
353D1EE6 


E88185B4 


00000000 
00000000 
00000000 


A5D4FF53A 


BB67AE85 
5BE0CD19 


92 7AEDE1 
9A99C181 
3BB44C6B 


3E339B16 


D591A277 
FB847886 


997546C1 
C63CBI1AB 
AB4909DF 


1ACA82B2 
57D04DE4 
523898A9 


111343A3 
DD2C53A3 
359DC2BE 


Infor 


180B1F3A 
C544E836 


D45246DF 
6038DA9E 
85031A52 


14045D7F 
994BACFO 
CO3A0F89 


D54A700A 


678E5F8E 
87A87DDD 


mational 


FCF43914 
524ABOE2 


EDB5F821 
414594B0 
C4EDFC98 


CC7258ED 
F0982759 
47D6CD88 


574A00A9 
9718D4E9 
643F9CEC 


00000000 
00000000 


510E527F 
3C6EF372 


A7B430D9 
608A3A6B 


F24338CD 
30DB62D6 


7F98A742 
F2C218B5 


383CF67C 
F17EE300 


857D5A48 
622CB684 


95CC3345DED552C2 


12 F6 
FF A2 
33 CC 
00 99 


E9 
D1 
95 
23 


00000000 
00000000 


9B05688C 
A54FF53A 


93A4A14E 
B666383E 


0E66D326 
4847831C 


10E864E2 
8DAODCB7 


EO90E7F9 
D48FC2D5 


B1E11989 
92976076 
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(i=10) 


BLAKE2s-256 ("abc") 


Appendix C. 


v[16] 


v[16] 


v[16] 


v[16] 


v[16] 


h[8] 
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3453921C 
35ADF5C9 
F34600FB 


BE851B2D 
4119370F 
9A81A601 


07E5B85A 
3C84B971 
523878DC 


435148C4 
4FCB3120 
8078D978 


D9CIILAA 
1D9EC27D 
DEEF082E 


8C5E8C50 
4C9B994D 


= 50 
37 


D7595EE1 
9916FD65 
D7BC20FB 


A85F6358 
1E2261AA 
E7EC80F1 


069CC164 
21DBD9CF 
30715015 


A5AA2D11 
70'7ADA48 
68ADE4B5 


CFEC3AA6 
945357A5 
AF3D80E1 


E2147C32 
82596786 


8C 5E 8C 
45 8B 20 


BLAKE2b Implementation 


592E776D 
96562E89 
EB452A7B 


81E6FC3B 
A1318FD3 
ACC09948 


F9DE3141 
46699F8C 
397FEE81 


4B354173 
565B3FDE 
9778FDA3 


700D0AB2 
3E9FFEBD 
4E86829B 


A32BA7E1 


32 7C 14 
9E D6 3A 


C Source 


3ED6A974 
4EAD0792 
ECE1AA40 


0BB28000 
F4329816 
F849A584 


A56F4680 
765257EC 
4F1FA799 


D543BC9E 
32C9C916 
2863B92E 


2C38670E 
969FE811 
4DEAFD3A 


2F45EB4E 


E2 El A7 
29 4D 99 
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4D997CB3 
EBFC2712 


FA55A33A 
071783C2 


9E440AD2 
AF1D998C 


BDA2591C 
EAF4A1AB 


AF6A1F66 
EF485E21 


208B4537 


2B A3 4E 
9B 4C 86 


DE9212C3 
2385F5B2 


87BE1FAD 
6E536A8D 


9AB659EA 
75E4C3B6 


BF1D2569 
B1018F28 


1D023EF3 
A632797A 


293AD69E 


EB 45 2F 
67 59 82 


C.1. blake2b.h 
<CODE BEGINS> 
// blake2b.h 
// BLAKE2b Hashing Context and API Prototypes 


#ifndef BLAKE2B_H 
#define BLAKE2B_H 


#include <stdint.h> 
#include <stddef.h> 


// state context 
typedef struct { 


uint8_t b[128]; // input buffer 

uint64_t h[8]; // chained state 
uint64_t t[2]; // total number of bytes 
size_t c; // pointer for b[] 


size_t outlen; 
) blake2b_ctx; 


digest size 
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// Initialize the hashing context "ctx" with optional key "key". 


// 1 <= outlen <= 64 gives the digest size in bytes. 
// Secret key (also <= 64 bytes) is optional (keylen = 0). 
int blake2b_init (blake2b_ctx *ctx, size_t outlen, 

const void *key, size_t keylen); // secret key 


// Add “inlen" bytes from "in" into the hash. 
void blake2b_update (blake2b_ctx *ctx, // context 
const void *in, size_t inlen); // data to be hashed 


// Generate the message digest (size given in init). 
// Result placed in "out". 
void blake2b_final (blake2b_ctx *ctx, void *out); 


// All-in-one convenience function. 


2015 


int blake2b(void *out, size_t outlen, // return buffer for digest 
const void *key, size_t keylen, // optional secret key 
const void *in, size_t inlen); // data to be hashed 

#endif 


<CODE ENDS> 

blake2b.c 

<CODE BEGINS> 

// blake2b.c 

// A simple BLAKE2b Reference Implementation. 

#include "blake2b.h" 

// Cyclic right rotation. 

#ifndef ROTR64 

#define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) 
#endif 


// Little-endian byte access. 


#define B2B_GET64 (p) \ 
(((uinté64_t) ((uint8_t *) (p))[0]) ^ \ 
(((uint64_t) ((uint8_t *) (p))[1]) << 8) * \ 
(((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \ 
(((uint64_t) ((uint8_t *) (p))[3]) << 24) * \ 
(((uint64_t) ((uint8_t *) (p))[4]) << 32) * \ 
(((uint64_t) ((uint8_t *) (p))[5]) << 40) * \ 
(((uint64_t) ((uint8_t *) (p))[6]) << 48) * \ 
(((uvint64_t) ((uint8_t *) (p))[7]) << 56)) 
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// G Mixing function. 


#define B2B_G(a, b, c, d, x, y) í \ 
v[a] = v[a] + v[b] + x; \ 
v[d] = ROTR64(v[d] ^ v[al, 32); \ 
v[c] = v[c] + vid]; \ 
v[b] = ROTR64(v[b] ^ v[c], 24); MX 
vla] = v[a] + v[b] + y; \ 
v[d] = ROTR64(v[d] ^ v[al, 16); \ 
v[c] = v[c] + vid]; \ 
v[b] = ROTR64 (v[b] ^ v[c], 63); ) 


// Initialization Vector. 

static const uint64_t blake2b_iv[8] = 
0x6A09E667F3BCC908, 
0x3C6EF372FE94F82B, 
0x510E527FADE682D1, 
0x1F83D9ABFB41BD6B, 


1 

OxBB67AE8584CAA73B 
OxA54FF53A5F1D36F1 
0x9B05688C2B3E6C1F 
Ox5BE0CD19137E2179 


y; 


// Compression function. "last" flag indic 


static void blake2b_compress (blake2b_ctx * 
{ 


const = 


7, 
13% 


uint8_t sigma[12] [16] 
Op, Wy 25-3) A A 
14, 10, 4, 8, 9, 15, 
11s (8, 12%. O Di 2y VD £37. L03 
9, 3, 1, 13, 12, 11, 14, 2, 
0, 5, 7, 2, 4, 10, 15, 14, 
t2; TO, 057 ELp “85> 3: 4y 
5, 15, 14, 13, 4, 10, 
11, e NES E 5,0 
5, 1° eee E D Oy Bi 257-2 
Diy? By 7, 6, 5, 15, 11, 
Ez 23 8, 9, 10 
10, 6, 1, 1 


1 
8, 9, 10 
Op lp t 


6 
L 1, 
6, 13 
T; 0, 


7, 
14, 


i. 
13, 
6, 
10, 
0, 
14, 


Pa A A As A As a a ss a a a 


y; 

int i; 
uint64_t v[16], m[16]; 
(i = // 
v[i] 

v[i + 8] 


EOL i < 8; i++) 
ctx->h[il; 


blake2b_iv[il; 


0; { 
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r 
r 


F 


ates last block. 
ctx, int last) 
podtdy -2r 135.24 I5 hy 
Dj Oj ld ar ey 
tåga Sp Op Ty A A 
y Dy O AO e Bo hs 
Tiy- 12%, 67 87-37 13 bh, 
E EA E E By 
Ty. O S7 a 87. AA}; 
y LD, 4), 87 6, 2, 10 +, 
yo Sige A O e 
Y LA E O 
podr DAS 145 op 
Diy Oi 2 AD Shy Dy 3} 
init work variables 
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v[12] ^= ctx->t[0]; // low 64 bits of offset 

v[13] ^= ctx->t[1]; // high 64 bits 

if (last) // last block flag set ? 
v[14] = “v[14]; 

for (i = 0; i < 16; i++) // get little-endian words 
m[i] = B2B_GET64(&ctx->b[8 * il); 

for (i = 0; i < 12; itt) { // twelve rounds 
B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[il[ 1]]); 
B2B_G( 1, 5, 9, 13, m[sigma[i][ 211, m[sigma[i][ 3]]); 
B2B_G( 2, 6, 10, 14, m[sigma[i][ 411, m[sigma[i][ 5]]); 
B2B_G( 3, 7, 11, 15, m[sigma[il[ 6]], m[sigma[i][ 7]]); 
B2B_G( 0, 5, 10, 15, m[sigma[il[ 8]], m[sigma[i][ 9]]); 
B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 
B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 
B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 


} 


for( i = 0; i < 8; ++i ) 
ctx->h[i] ^s v[i] ^ v[i + 8]; 
} 


// Initialize the hashing context "ctx" with optional key "key". 
// 1 <= outlen <= 64 gives the digest size in bytes. 
// Secret key (also <= 64 bytes) is optional (keylen = 0). 


int blake2b_init (blake2b_ctx *ctx, size_t outlen, 
const void *key, size_t keylen) // (keylen=0: no key) 
{ 


size_t i; 


if (outlen == 0 || outlen > 64 || keylen > 64) 
return -1; // illegal parameters 
for (i = 0; i < 8; i++) // state, "param block" 


ctx->h[i] = blake2b_iv[il; 
ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 


ctx->t [0] = 0; // input count low word 
ctx->t [1] = 0; // input count high word 
ctx->c = 0; // pointer within buffer 


ctx->outlen = outlen; 
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for (i = keylen; i < 128; i++) // 
ctx->b[i] = 0; 
if (keylen > 0) { 
blake2b_update (ctx, key, keylen); 


ctx->c = 128; 


} 


return 0; 


} 


// 


zero input block 


at the end 


// Add “inlen" bytes from "in" into the hash. 


void blake2b_update (blake2b_ctx *ctx, 
const void *in, size_t inlen) 
{ 


size_t i; 


for (i = 0; i < inlen; i++) { 
if (ctx->c == 128) { 
ctx->t[0] += ctx->c; 
if (ctx->t[0] < ctx->c) 


ctx->t [1]++; 
blake2b_compress (ctx, 
ctx->c = 0; 


0); 


} 
ctx->b[ctx->ctt+] = 


} 


// Generate the message digest 
// Result placed in "out". 


void blake2b_final (blake2b_ctx *ctx, 
{ 


saetas 


ctx->t[0] += ctx->c; 
if (ctx->t[0] < ctx->cCc) 


ctx->t[1]++; 
while (ctx->c < 128) 
ctx->b[ctx->c++] = 0; 
blake2b_compress (ctx, 1); 
Saarinen & Aumasson Informational 


// 


((const uint8_t 


(size given 


data bytes 


buffer full ? 

add counters 

carry overflow ? 
high word 

compress (not last) 
counter to zero 


*) in) [il]; 


in init). 


void *out) 


mark last block offset 
carry overflow 
high word 


fill up with zeros 


final block flag = 1 
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// little endian convert and store 


for (i = 0; i < ctx->outlen; i++) ( 
((uint8_t *) out) [i] = 
(ctx->h[i >> 3] >> (8 * 


} 
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(i & 7))) 


November 2015 


& OXFF; 


// Convenience function for all-in-one computation. 


int blake2b(void *out, 
const void *key, 
const void *in, 


size_t outlen, 
size_t keylen, 
size_t inlen) 


blake2b_ctx ctx; 


if (blake2b_init (&ctx, outlen, key, 
return -1; 
blake2b_update(&ctx, in, inlen); 


blake2b_final (&ctx, out); 
return 0; 


} 
<CODE ENDS> 


Appendix D. BLAKE2s Implementation C Source 


D.1. blake2s.h 


<CODE BEGINS> 
// blake2s.h 


keylen) ) 


// BLAKE2s Hashing Context and API Prototypes 


#ifndef BLAKE2S_H 
#define BLAKE2S_H 


#include <stdint.h> 
#include <stddef.h> 


// state context 
typedef struct { 
uint8_t b[64]; 
uint32_t h[8]; 
uint32_t t[2]; 
size_t c; 
size_t outlen; 
} blake2s_ctx; 
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chained state 

total number of bytes 
pointer for b[] 
digest size 
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// Initialize the hashing context "ctx" with optional key "key". 


// 1 <= outlen <= 32 gives the digest size in bytes. 
// Secret key (also <= 32 bytes) is optional (keylen = 0). 
int blake2s_init (blake2s_ctx *ctx, size_t outlen, 

const void *key, size_t keylen); // secret key 


// Add “inlen" bytes from "in" into the hash. 
void blake2s_update (blake2s_ctx *ctx, // context 
const void *in, size_t inlen); // data to be hashed 


// Generate the message digest (size given in init). 
// Result placed in "out". 


void blake2s_final (blake2s_ctx *ctx, void *out); 


// All-in-one convenience function. 


int blake2s (void *out, size_t outlen, // return buffer for digest 
const void *key, size_t keylen, // optional secret key 
const void *in, size_t inlen); // data to be hashed 

#endif 


<CODE ENDS> 
D.2. blake2s.c 
<CODE BEGINS> 


// blake2s.c 
// A simple blake2s Reference Implementation. 


#include "blake2s.h" 

// Cyclic right rotation. 

#ifndef ROTR32 

#define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y)))) 
#fendif 


// Little-endian byte access. 


#define B2S_GET32 (p) \ 
(((uint32_t) ((uint8_t *) (p))[0]) ^ \ 
(((uint32_t) ((uint8_t *) (p))[1]) << 8) * \ 
(((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \ 
(((uint32_t) ((uint8_t *) (p))[3]) << 24)) 
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// Mixing function G. 


define B2S_G(a, b, c, d, x, y) { \ 
v[a] = v[a] + v[b] + x; \ 
v[d] = ROTR32(v[d] ^ vlal, 16); \ 
v[c] = v[c] + vid]; \ 
v[b] = ROTR32(v[b] ^ v[c], 12); \ 
via] = v[a] + v[b] + y; \ 
v[d] = ROTR32(v[d] ^ vlal, 8); \ 
v[c] = v[c] + vid]; \ 
v[b] = ROTR32(v[b] ^ v[c], 7); ) 


// Initialization Vector. 


static const uint32_t blake2s_iv[8] 


{ 


Ox6A09E667, 
0x510E527F, 
y; 


// Compression f 


static void blak 
{ 

const 
0, 
14, 
11, 


1, 
10 
8, 

9, 


e As A a A As a ss HH 


y; 

int. ds 
uint32_t v[1 
(i 


v[i] Cc 
v[i + 8] 


for 0; 


} 


v[12] *= ctx 
v[13] *= ctx 
if (last) 

v[14] 
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OxBB67AE85, 
0x9B05688C, 


0x3C6EF372, 
0x1F83D9AB, 
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OxA54FF53A, 
Ox5BE0CD19 


uint8_: 


unction. "last" 


e2s_compress (blake2s_ctx *ctx, int last) 


t sigma[10] [16] 


{ 
87 Oe 105 thy 12y L3; 


November 2015 


flag indicates last block. 


2, 3,4, 5, 6,7, 14, 15 }, 
p Ar De 15, NS 6; Lr i2 0r 2r ily my Sr 3n Ey 
LOS Oe Sy D4, 15; 13 Os LA By dr SpA y 
37 Ly 13,12, 11, A 2y “6,5, LO 4, Oy £5; 8 by 
5p. Ta Ay O a I. a, a T2 6, 8y 8 18 sg 
6, 10, 0O, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 
dg. BS Etj Ey Ay LO O Wy by, 37 Lio gyr LL Ey 
z Ty A Vy chy Sa 9% 0 ES Ar 87 Or 2y TO kz 
iag De A e A Ly Mg LO S hy 
8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0O} 

6], m[16]; 
i < 8; i++) { // init work variables 
tx->h[i]; 
= blake2s_iv[il; 
=>t [0]; // low 32 bits of offset 
->t [1]; // high 32 bits 
// last block flag set ? 
“v [14]; 
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for (i = 0; i < 16; i++) // get little-endian words 
m[i] = B2S_GET32(&ctx->b[4 * il); 


for (i = 0; i < 10; i++) { // ten rounds 
B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[il[ 1]]); 
B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); 
B2S_G( 2, 6, 10, 14, m[sigma[i][ 411, m[sigma[i][ 5]]); 
B2S_G( 3, 7, 11, 15, m[sigma[il[ 6]], m[sigma[i][ 7]]); 
B2S_G( 0, 5, 10, 15, m[sigma[il[ 8]], m[sigma[i]l[ 9]]); 
B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 
B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 
B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 


} 


for( i = 0; i < 8; ++i ) 
ctx->h[i] *= v[i] * v[i + 8]; 
} 


// Initialize the hashing context "ctx" with optional key "key". 
// 1 <= outlen <= 32 gives the digest size in bytes. 
// Secret key (also <= 32 bytes) is optional (keylen = 0). 


int blake2s_init (blake2s_ctx *ctx, size_t outlen, 
const void *key, size_t keylen) // (keylen=0: no key) 
{ 


size_t i; 


if (outlen == 0 || outlen > 32 || keylen > 32) 
return -1; // illegal parameters 
for (i = 0; i < 8; i++) // state, "param block" 


ctx->h[i] = blake2s_iv[il; 
ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 


ctx->t [0] = 0; // input count low word 
ctx->t [1] = 0; // input count high word 
ctx->c = 0; // pointer within buffer 


ctx->outlen = outlen; 


for (i = keylen; i < 64; i++) // zero input block 
ctx->b[i] = 0; 

if (keylen > 0) { 
blake2s_update(ctx, key, keylen); 
ctx->c = 64; // at the end 

} 


return 0; 
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// Add "inlen" bytes from "in" into the hash. 


void blake2s_update (blake2s_ctx *ctx, 
const void *in, size_t inlen) // data bytes 


{ 


Sizet ds 


for (i = 0; i < inlen; i++) { 

if (ctx->c == 64) { // buffer full ? 
ctx->t[0] += ctx->c; // add counters 
if (ctx->t[0] < ctx->c) // carry overflow ? 

ctx->t [1]++; // high word 

blake2s_compress (ctx, 0); // compress (not last) 
ctx->c = 0; // counter to zero 

} 

ctx->b[ctx->ct+] = ((const uint8_t *) in) [i]; 


} 


// Generate the message digest (size given in init). 
// Result placed in "out". 


void blake2s_final (blake2s_ctx *ctx, void *out) 


{ 


size_t i; 


ctx->t[0] += ctx->c; // mark last block offset 

if (ctx->t[0] < ctx->c) // carry overflow 
ctx->t[1]++; // high word 

while (ctx->c < 64) // fill up with zeros 
ctx->b[ctx->ct+] = 0; 

blake2s_compress (ctx, 1); // final block flag = 1 


// little endian convert and store 


for (i = 0; i < ctx->outlen; itt) ( 
((uint8_t *) out) [i] = 
(ctx->h[i >> 2] >> (8 * (i € 3))) & OXFF; 


} 
// Convenience function for all-in-one computation. 
int blake2s(void *out, size_t outlen, 

const void *key, size_t keylen, 


const void *in, size_t inlen) 


blake2s_ctx ctx; 
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if (blake2s_init(&ctx, outlen, key, 
return -1; 
blake2s_update(&ctx, in, inlen); 


blake2s_final(&ctx, out); 
return 0; 


} 
<CODE ENDS> 


Appendix E. 


BLAKE2 Crypto Hash and MAC 


November 2015 


keylen) ) 


BLAKE2b and BLAKE2s Self-Test Module C Source 


This module computes a series of keyed and unkeyed hashes from 
deterministically generated pseudorandom data and computes a hash 


over those results. 


This is a fairly exhaustive, 


yet compact and 


fast method for verifying that the hashing module is functioning 


correctly. 


Such testing is RECOMMENDED, 


especially when compiling the 


implementation for a new a target platform configuration. 


Furthermore, 


Power-On Self Test (POST) 


<CODE BEGINS> 
// test _main.c 


some security standards, 


such as FIPS-140, 
to be performed every time the 
cryptographic module is loaded [FIPS140-2IG]. 


// Self test Modules for BLAKE2b and BLAKE2s 


#include <stdio.h> 


"blake2b.h" 
"blake2s.h" 


#include 
#include 


// Deterministic sequences 


static void selftest_seq(uint8_t *out, 


{ 


size_t i; 


ULNES t Es ay b? 
a = OxDEAD4BAD * seed; 
b= 1; 
for (i = 0; i < len; i++) { 
t = a + b; 
a = b; 
b =t; 
out[i] = (t >> 24) £ OXFF; 
) 
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size_t len, 


may require a 


-- and a stub main(). 


(Fibonacci generator). 


uint32_t seed) 


// prime 


// fill the buf 
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} 
// BLAKE2b self-test validation. Return 0 when OK. 


int blake2b_selftest () 

{ 
// grand hash of hash results 
const uint8_t blake2b_res[32] = { 


November 2015 


0xC2, Ox3A, 0x78, 0x00, OxD9, 0x81, 0x23, OxBD, 
0x10, OxF5, 0x06, 0xC6, OxlE, 0x29, OxDA, 0x56, 
0x03, OxD7, 0x63, 0xB8, OxBB, OxAD, Ox2E, 0x73, 
Ox7F, Ox5E, 0x76, Ox5A, Ox7B, OxCC, OxD4, 0x75 
y; 
// parameter sets 
const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; 
const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; 
size_t i, j, outlen, inlen; 
uint8_t in[1024], md[64], key[64]; 
blake2b_ctx ctx; 
// 256-bit hash for testing 
if (blake2b_init (&ctx, 32, NULL, 0)) 
return -1; 
for (i = 0; i < 4; i++) { 
outlen = b2b_md_len[i]; 
for (j = 0; j < 6; j++) { 
inlen = b2b_in_len[j]; 
selftest_seq(in, inlen, inlen); // unkeyed hash 


blake2b(md, outlen, NULL, 0, in, inlen); 
blake2b_update(&ctx, md, outlen); // hash the hash 


selftest_seq(key, outlen, outlen); // keyed hash 


blake2b(md, outlen, key, outlen, in, inlen); 


blake2b_update(&ctx, md, outlen); // hash the hash 


} 


// compute and compare the hash of hashes 
blake2b_final (&ctx, md); 
for (i = 0; i < 32; i++) { 
if (md[i] != blake2b_res[i]) 
return -1; 


} 


return 0; 
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} 


// BLAKE2s self-test validation. Return 0 when OK. 


int blake2s_selftest () 


{ 
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// Grand hash of hash results. 

const uint8_t blake2s_res[32] = { 
Ox6A, 0x41, 0x1F, 0x08, OxCE, 0x25, OxAD, OxCD, 
OxFB, 0x02, OxAB, OxA6, 0x41, 0x45, 0x1C, OxEC, 
0x53, OxC5, 0x98, OxB2, Ox4F, Ox4F, OxC7, 0x87, 
OxFB, OxDC, 0x88, 0x79, Ox7F, Ox4C, Ox1D, OxFE 


// Parameter sets. 
const size_t b2s_md_len[4] = { 16, 20, 28, 32 ); 
const size_t b2s_in_len[6] 64, 65, 255, 1024 }; 


| 
A 
o 

x 
Ww 

x 


size_t i, j, outlen, inlen; 
uint8_t in[1024], md[32], key[32]; 
blake2s_ctx ctx; 


// 256-bit hash for testing. 
if (blake2s_init (&ctx, 32, NULL, 0)) 
return -1; 


for (i = 0; i < 4; itt) { 
outlen b2s_md_len[i]; 
for (j = 0; j < 6; j++) { 
inlen = b2s_in_len[j]; 


selftest_seq(in, inlen, inlen); // unkeyed hash 
blake2s (md, outlen, NULL, 0, in, inlen); 
blake2s_update(&ctx, md, outlen); // hash the hash 


selftest_seq(key, outlen, outlen); // keyed hash 
blake2s (md, outlen, key, outlen, in, inlen); 
blake2s_update(&ctx, md, outlen); // hash the hash 


} 


// Compute and compare the hash of hashes. 
blake2s_final(&ctx, md); 
for (i = 0; i < 32; i++) { 
if (md[i] != blake2s_res[i]) 
return -1; 


} 


return 0; 
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} 
// Test driver. 


int main(int argc, char **argv) 


{ 


printf ("blake2b_selftest() = %s\n", 
blake2b_selftest() ? "FAIL" : "OK"); 

printf ("blake2s_selftest() = %s\n", 
blake2s_selftest() ? "FAIL" : "OK"); 


return 0; 


} 
<CODE ENDS> 
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